Understanding PSD2 and Strong Customer Authentication

Payments are a key part of the shopping experience no matter where and what you’re selling, but they’re especially important online, where trust and security are top of mind.

If you’re selling in the European Economic Area (EEA), you may have heard about the revised Payment Services Directive (PSD2). It’s a regulatory requirement intended to increase protection against fraud for online purchases and will have some impact on businesses in the EEA.

Below, we’ll help you navigate these complexities of selling so you can focus on running and growing your business. Here’s an overview of what’s happening and what it means for you.

What is the revised Payment Services Directive (PSD2)?

The revised Payment Services Directive (PSD2) regulates the payments industry in the European Union. One of the major updates that comes into effect this year is stronger protection for customers who shop online using their debit and credit cards. This protects you too: fewer fraudulent charges are good for everyone.

To comply with these new regulations, you’ll need to make sure you have Strong Customer Authentication (SCA) in place to help mitigate card-not-present fraud on payments accepted from European buyers.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication is similar to what many people refer to as two-factor authentication: if a customer is buying online using their debit or credit card, SCA may require them to use two forms of authentication. As an example, instead of just entering their PIN or password, Strong Customer Authentication would prompt a customer to enter a code generated on their banking app as a second step. This makes it harder for fraudulent transactions to get through.

Customers are asked to enter this information only when it’s required, through a technology known as 3D Secure, an extra layer of security in which customers authenticate themselves during checkout. Your customers will see the 3D Secure indicator start to show up on orders after PSD2 comes into effect.

What does PSD2 mean for Shopify merchants?

If you’re using Shopify Payments to process credit or debit cards in Germany, Denmark, Ireland, the Netherlands, Spain, or the United Kingdom, you don’t need to do anything. You’ll be compliant in time for the September 14, 2019, deadline automatically. Shopify Payments is optimized to minimize the use of 3D Secure. It will only use 3D Secure when absolutely required by the issuing bank in order for a transaction to be authorized successfully.

If you’re using Stripe to process credit or debit cards in Austria, Belgium, Denmark, Estonia, Finland, France, Germany, Greece, Ireland, Italy, Latvia, Lithuania, Luxembourg, the Netherlands, Norway, Poland, Portugal, Spain, Sweden, or the UK, you’ll also be fully compliant with PSD2 before the deadline and be able to offer SCA without any changes.

Local payment methods such as iDEAL and Klarna, and wallets like Google Pay, Apple Pay, and PayPal Express, are already compliant with the regulation and require no action from merchants.

Merchants who want to stay on their third-party gateways will not automatically be in compliance with PSD2 on September 14. To be in compliance, we recommend these merchants create a connection with Cardinal Commerce. These merchants will see a prompt within their Shopify admin that Cardinal Commerce is available for them, and the onus is on the merchant to decide if and when they want to sign up and enable this solution. We recommend that merchants take this action as soon as possible in order to meet the September 14 deadline.

When will PSD2 be enforced?

We anticipate that the enforcement of the SCA requirement will be phased and fragmented across Europe (see updates by country). As an example, earlier this month, the UK regulator granted an 18-month phase-in period to give banks and businesses more time to prepare for these new requirements. The biggest impact of this uncertainty is on merchants not using Shopify Payments or Stripe.

Over the next 18 months, merchants will start seeing orders that have used SCA for payment processing within their Shopify orders page. Orders paid with debit or credit cards that have gone through 3D Secure will have 3D Secure (3DS) noted beside the order timeline. This means the buyer’s identity has been confirmed by the bank that issued the card and the transaction will default to low risk. There is no action required from the merchant within the orders page for these transactions.